Multi-Port SSH brute force protection
I was checking my authlog today and noticed the following series of brute force login attempts:

Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye

First off, login as root is disabled, so not much they can do here, but I'd like to try and set up some kind of throttling protection for these sorts of attacks. Unfortunately they keep changing ports, so the traditional port 22 protection isn't going to work. I'm wondering if there's something similar to spamd for sshd that can handle this sort of throttling before handing off to the real server, or if sshd has some functionality to do that on its own. Thanks ahead of time for any suggestions.

- Onteria
Re: Multi-Port SSH brute force protection
pf and tables are your friends.

On 11/01/10 11:30, onteria wrote:
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
> Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
> Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
> Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye
>
> First off, login as root is disabled, so not much they can do here, but
> I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so the
> traditional port 22 protection isn't going to work. I'm wondering if
> there's something similar to spamd for sshd that can handle this sort of
> throttling before handing off to the real server, or if sshd has some
> functionality to do that on its own. Thanks ahead of time for any
> suggestions.
>
> - Onteria

-- 
Sending from my Computer.
Re: Multi-Port SSH brute force protection
> You are confusing the origination port numbers, which can be any random port
> number, with the destination port number -- the destination port number is the
> port your server is listening on, and that will be 22 by default.

Ouch, I just realized the idiocy of my previous email upon reading that.

> Throttle with PF's stateful tracking options -- see the examples of using
> "overload" with "flush" in the PF User's Guide -- Packet Filtering chapter.

RTFM now. Thanks again for your help.

- Onteria
Re: Multi-Port SSH brute force protection
On Mon, 1 Nov 2010 07:30:50 -0700, onteria wrote
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
> Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
> Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
> Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye
>
> First off, login as root is disabled, so not much they can do here,
> but I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so
> the traditional port 22 protection isn't going to work.

You are confusing the origination port numbers, which can be any random port number, with the destination port number -- the destination port number is the port your server is listening on, and that will be 22 by default.

Throttle with PF's stateful tracking options -- see the examples of using "overload" with "flush" in the PF User's Guide -- Packet Filtering chapter.
Re: Multi-Port SSH brute force protection
On Mon, Nov 1, 2010 at 8:30 AM, onteria wrote:
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
> Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
> Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
> Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye
>
> First off, login as root is disabled, so not much they can do here, but
> I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so the
> traditional port 22 protection isn't going to work. I'm wondering if
> there's something similar to spamd for sshd that can handle this sort of
> throttling before handing off to the real server, or if sshd has some
> functionality to do that on its own. Thanks ahead of time for any
> suggestions.
>
> - Onteria
>

There is sshguard in ports, or you can read the archives for some pf max-src-conn-rate magic (or pf.conf(5)).
Re: Multi-Port SSH brute force protection
On Mon, Nov 1, 2010 at 2:30 PM, onteria wrote:
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
> Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
> Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
> Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye
>
> First off, login as root is disabled, so not much they can do here, but
> I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so the
> traditional port 22 protection isn't going to work. I'm wondering if
> there's something similar to spamd for sshd that can handle this sort of
> throttling before handing off to the real server, or if sshd has some
> functionality to do that on its own. Thanks ahead of time for any
> suggestions.

Hi,

You have pf :) . Check "max-src-conn-rate number / seconds" on the man page.

Regards,
Ari Constancio
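The "overload" with "flush" technique and the max-src-conn-rate option the replies above point at, put together as an added pf.conf example. This is not from the thread or from the PF User's Guide; the interface macro, the table names, the limits and the addresses in the <trusted> table are assumptions chosen for illustration.

```pf
# Added example: rate-limit new SSH connections per source address with
# pf's stateful tracking and drop repeat offenders into a table.
# Assumed names: $ext_if, <trusted>, <bruteforce>; addresses are constructed.
ext_if = "em0"

# Hosts that must never be locked out (constructed example addresses).
# This is what keeps you from trapping yourself with your own rule.
table <trusted> { 192.0.2.10, 198.51.100.0/24 }

# Offenders collected by the overload rule below. "persist" keeps the
# table (and whatever is in it) across rule reloads.
table <bruteforce> persist

# Trusted sources bypass the brute-force logic entirely: this rule has
# no overload clause, so they can never be added to <bruteforce>.
pass in quick on $ext_if proto tcp from <trusted> to $ext_if port ssh

# Anything already in the table is dropped before it ever reaches sshd.
block in quick on $ext_if from <bruteforce>

# Everyone else: at most 15 concurrent states per source address, and no
# more than 5 new connections within 3 seconds. Exceeding either limit
# adds the source to <bruteforce>; "flush global" then kills every state
# that source holds, not just the ones created by this rule.
pass in on $ext_if proto tcp to $ext_if port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
     overload <bruteforce> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it, and inspect the table afterwards with pfctl -t bruteforce -T show. Entries stay in the table until removed, so a cron job running pfctl -t bruteforce -T expire 86400 is the usual way to let addresses out again after a day. Note what this rule actually measures: TCP connections per source, not failed logins. A source that paces itself under 5 connections per 3 seconds, or a botnet spread over many addresses, never trips it, which is why the key-only authentication suggested further down the thread is the part that removes the risk rather than just the noise.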
Re: Multi-Port SSH brute force protection
On Mon, Nov 1, 2010 at 3:30 PM, onteria wrote:
> I was checking my authlog today and noticed the following series of
> brute force login attempts:
>
> Nov 1 01:37:04 solar sshd[8173]: Failed password for root from 58.211.1.163 port 8895 ssh2
> Nov 1 01:37:04 solar sshd[10692]: Received disconnect from 58.211.1.163: 11: Bye Bye
> Nov 1 01:37:06 solar sshd[6273]: Failed password for root from 58.211.1.163 port 9052 ssh2
> Nov 1 01:37:06 solar sshd[21047]: Received disconnect from 58.211.1.163: 11: Bye Bye
>
> First off, login as root is disabled, so not much they can do here, but
> I'd like to try and set up some kind of throttling protection for
> these sorts of attacks. Unfortunately they keep changing ports, so the
> traditional port 22 protection isn't going to work. I'm wondering if
> there's something similar to spamd for sshd that can handle this sort of
> throttling before handing off to the real server, or if sshd has some
> functionality to do that on its own. Thanks ahead of time for any
> suggestions.

This problem has been quite active for at least the last two years, and quite a lot has been written about it, e.g. here: http://bsdly.blogspot.com/ so I can recommend it for reading. If you disable passwords completely and use keys instead, you will have far fewer problems.

>
> - Onteria
Re: Multi-Port SSH brute force protection
> This problem has been quite active for at least the last two years, and quite a
> lot has been written about it, e.g. here: http://bsdly.blogspot.com/ so I
> can recommend it for reading. If you disable passwords completely
> and use keys instead, you will have far fewer problems.

Yes, looking over a few sites, I'm moving to key-based authentication as I type this email. Thank you for the blog link. This looks to be a very good read for enhancing OpenBSD knowledge.

- Onteria
Re: Multi-Port SSH brute force protection
On Mon, 1 Nov 2010, Gonzalo L. R. wrote:
> From: Gonzalo L. R.
> To: misc@openbsd.org
> Date: Mon, 1 Nov 2010 14:39:41
> Subject: Re: Multi-Port SSH brute force protection
>
> pf and tables are your friends.

More precisely, Peter Hansteen is your friend:

http://home.nuug.no/~peter/pf/en/bruteforce.html

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
Re: Multi-Port SSH brute force protection
* Dennis Davis [2010-11-01 17:19]:
> More precisely, Peter Hansteen is your friend:
>
> http://home.nuug.no/~peter/pf/en/bruteforce.html

And funnily enough, I have used that technique for ages, and only ever trapped myself with it once. While sitting at a table at Ottawa uni, with Peter.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting